Researchers show how to break quantum cryptography by faking quantum entanglement

Quantum cryptography is secure, provided you can ensure that the correlations …

Quantum cryptography has been pushed onto the market as a way to provide absolute security for communications. It is already used in Swiss elections to ensure that electronic vote data is securely transmitted to central locations. And as far as we know, no current quantum cryptographic system has been compromised in the field. This may be due to the work of security researchers who spend all their waking moments—and quite a lot of their non-waking moments—trying to pick the lock on quantum systems.

Their general approach can be summed up as follows: if you can fool a detector into thinking a classical light pulse is actually a quantum light pulse, then you might just be able to defeat a quantum cryptographic system. But even then the attack should fail, because quantum entangled states have statistics that cannot be achieved with classical light sources—by comparing statistics, you could unmask the deception. In the latest of a series of papers devoted to this topic, a group of researchers has now shown that the statistics can also be faked.

Quantum cryptography relies on the concept of entanglement. With entanglement, some statistical correlations are measured to be larger than those found in experiments based purely on classical physics. Cryptographic security works by using the correlations between entangled photons pairs to generate a common secret key. If an eavesdropper intercepts the quantum part of the signal, the statistics change, revealing the presence of an interloper.

But there's a catch here. I can make a classical signal that is perfectly correlated to any signal at all, provided I have time to measure said signal and replicate it appropriately. In other words, these statistical arguments only apply when there is no causal connection between the two measurements.

You might think that this makes intercepting the quantum goodness of a cryptographic system easy. But you would be wrong. When Eve intercepts the photons from the transmitting station run by Alice, she also destroys the photons. And even though she gets a result from her measurement, she cannot know the photons' full state. Thus, she cannot recreate, at the single photon level, a state that will ensure that Bob, at the receiving station, will observe identical measurements.

Inside a single photon sensitive detector

The detectors are a special type of photodiode that turn a single photon into a very large electron current. One photon is absorbed, creating a free electron. That electron is accelerated vigorously by an applied electric field. In a very short distance, the electron reaches high enough speeds that when it collides with an atom, it knocks an electron or two free. These electrons are also accelerated, and the process proceeds in geometric fashion so that one photon creates a large and measurable current.

If that was the end of it, the photodiode would destroy itself after one photon. To prevent this, the control system detects the current spike and reduces the applied electric field, which shuts down the avalanche of electrons. Once the current has stopped, the field is increased again to ready the detector for the next photon. It is during this process that the photodiode is vulnerable. If the light field is not a single photon, but just a little more intense, then the diode never turns the avalanche field back on. At this point, the photodiode is not sensitive to single photons anymore. But it can still report what it thinks are single photons, provided that it gets hit with a light field that is sufficiently intense.

You might be wondering about the feasibility of all this. If the time it takes for the photodiode to recover is just 1ns, then a light field consisting of, on average, one photon per nanosecond (just a few picowatts of optical power) is sufficient to keep the photodiode out of avalanche mode. Then, if you increase the power 100 fold (e.g., to less than a nanowatt), the photodiode is fooled into reporting the arrival of a single photon. So that's all very feasible.

That is the theory anyway. But this is where the second loophole comes into play. We often assume that the detectors are actually detecting what we think they are detecting. In practice, there is no such thing as a single photon, single polarization detector. Instead, what we use is a filter that only allows a particular polarization of light to pass and an intensity detector to look for light. The filter doesn't care how many photons pass through, while the detector plays lots of games to try and be single photon sensitive when, ultimately, it is not.

It's this gap between theory and practice that allows a carefully manipulated classical light beam to fool a detector into reporting single photon clicks.

Since Eve has measured the polarization state of the photon, she knows what polarization state to set on her classical light pulse in order to fake Bob into recording the same measurement result. When Bob and Alice compare notes, they get the right answers and assume everything is on the up and up.

The researchers demonstrated that this attack succeeds with standard (but not commercial) quantum cryptography equipment under a range of different circumstances. In fact, they could make the setup outperform the quantum implementation for some particular settings.

The researchers also claim that this attack will be very difficult to detect, but I disagree. The attack depends on very carefully setting the power in the light beams so that only a single photodetector is triggered in Bob's apparatus. Within the detector, the light beam gets divided into two and then passed through polarization filters and detected. For a single photon beam, this doesn't matter—only one detector can click at any one time. But Eve's bright bunch of photons could set multiple detectors clicking at the same time. If you periodically remove filters, then Eve will inadvertently trigger more than a single photodiode, revealing her presence.

Chris Lee / Chris writes for Ars Technica's science section. A physicist by day and science writer by night, he specializes in quantum physics and optics. He lives and works in Eindhoven, the Netherlands.